SELinux is preventing zenity...
I have a UPS that sends an SNMP trap when the main power goes out.
I wrote my snmptrapd.conf file to execute a script when the trap is received. The script simply calls zenity to pop up a message.

Here's my problem. If I start snmptrapd from the command line everything works beautifully, but if I have the system start it at boot time or via System->Administration->Services, the trap gets logged in /var/log/messages but the zenity window doesn't get displayed and I get these SELinux messages in /var/log/messages.

SELinux is preventing the zenity from using potentially mislabeled files (XO)...

SELinux is preventing zenity (snmpd_t) "name_connect" to <Unknown> <xserver_port_t>...

I've looked at the output of

# ps -ef | grep snmptrapd

and it is identical in both cases so I don't understand why one works and the other doesn't. I tried

# cat /var/log/messages | audit2allow -m local

but that just produced a file that said:

module local 1.0;

and nothing else.

I'm running RHEL5.4 with SELinux in enforcing mode.

Any help would be appreciated.

Thanks,
Steve

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
On Thu, Dec 17, 2009 at 08:36:00PM -0500, Steve Blackwell wrote:
> I have a UPS that sends an SNMP trap when the main power goes out.
> I wrote my snmptrapd.conf file to execute a script when the trap is
> received. The script simply calls zenity to pop up a message.
>
> Here's my problem. If I start snmptrapd from the command line
> everything works beautifully but if I have the system start it at boot
> time or via System->Administration->Services, the trap gets logged

Because when you start it manually it gets executed in the user's environment, which is unrestricted/unprotected in el5.

> in /var/log/messages but the zenity window doesn't get displayed and I
> get these SELinux messages in /var/log/messages.
>
> SELinux is preventing the zenity from using potentially mislabeled
> files (XO)...
>
> SELinux is preventing zenity (snmpd_t) "name_connect" to <Unknown>
> <xserver_port_t>...
>
> I've looked at the output of
>
> # ps -ef | grep snmptrapd
>
> and it is identical in both cases so I don't understand why one works
> and the other doesn't. I tried
>
> # cat /var/log/messages | audit2allow -m local

The avc denial gets logged to /var/log/audit/audit.log:

ausearch -m avc -ts yesterday | grep snmpd_t | audit2allow -M mysnmp | semodule -i mysnmp.pp

> but that just produced a file that said:
>
> module local 1.0;
>
> and nothing else.
>
> I'm running RHEL5.4 with SELinux in enforcing mode.
>
> Any help would be appreciated.
>
> Thanks,
> Steve
Steve Blackwell wrote:
> SELinux is preventing zenity (snmpd_t) "name_connect" to <Unknown>
> <xserver_port_t>...
>
> I've looked at the output of
>
> # ps -ef | grep snmptrapd
>
> and it is identical in both cases so I don't understand why one works
> and the other doesn't. I tried

# ps -Zef | grep snmptrapd

should show you the context of the running process.

Moray.

"To err is human.* To purr, feline"
On Fri, 18 Dec 2009 10:11:53 +0100
Dominick Grift <domg472@gmail.com> wrote:

> On Thu, Dec 17, 2009 at 08:36:00PM -0500, Steve Blackwell wrote:
> > I have a UPS that sends an SNMP trap when the main power goes out.
> > I wrote my snmptrapd.conf file to execute a script when the trap is
> > received. The script simply calls zenity to pop up a message.
> >
> > Here's my problem. If I start snmptrapd from the command line
> > everything works beautifully but if I have the system start it at
> > boot time or via System->Administration->Services, the trap gets
> > logged
>
> Because when you start it manually it gets executed in the user's
> environment, which is unrestricted/unprotected in el5.

OK, I see that now. I got a bit wrapped around the axle because snmptrapd sometimes creates a file (I'm not quite sure when) called /var/net-smpd/snmptrapd.conf and if I run

# /etc/rc.d/init.d/snmptrapd restart

as root it gets created with a snmpd_var_lib_t type, but if I just start snmptrapd from the command line as root it gets created with a different type and then the system can't restart snmptrapd because it doesn't have permission to write to that file. ... I think...

> > in /var/log/messages but the zenity window doesn't get displayed
> > and I get these SELinux messages in /var/log/messages.
> >
> > SELinux is preventing the zenity from using potentially mislabeled
> > files (XO)...
> >
> > SELinux is preventing zenity (snmpd_t) "name_connect" to <Unknown>
> > <xserver_port_t>...
> >
> > I've looked at the output of
> >
> > # ps -ef | grep snmptrapd
> >
> > and it is identical in both cases so I don't understand why one
> > works and the other doesn't. I tried
> >
> > # cat /var/log/messages | audit2allow -m local
>
> The avc denial gets logged to /var/log/audit/audit.log:
>
> ausearch -m avc -ts yesterday | grep snmpd_t | audit2allow -M mysnmp
> | semodule -i mysnmp.pp

This was also confusing me because I had auditd turned off and so the avc denials are supposed to go to /var/log/messages, but it seems that some still went to /var/log/audit/audit.log.

Anyhow, running this command helped in that I don't get any more avc denials logged, but I still don't see my dialog popup. I'm going to try this again starting with a clean log.

I have a few questions if you have the time to answer them.

I have been reading this:
http://www.linuxtopia.org/online_books/getting_started_with_SELinux/index.html
and this:
http://www.linuxtopia.org/online_books/writing_SELinux_policy_guide/index.html
which I found quite useful but they are way out of date. Is there anything comparable that is current?

My understanding is that a .te is a policy configuration file, a text file, and that a .pp file is a policy package, a binary file. Does the .te file get "compiled" into a .pp file and if so how does this happen?

I read that the policy directory for Fedora systems is /etc/security/selinux/src/policy but neither the RHEL5.4 system at work nor my Fedora 11 system at home has such a directory and the only .te file is in /usr/share/selinux/devel. Where is the accepted location to put .te files?

Is there a way to "see" what a .pp file is doing? A disassembly of sorts. I'd like to look at some examples. There are plenty of .pp files in /etc/selinux/targeted/modules/active/modules.

Thanks,
Steve

> > but that just produced a file that said:
> >
> > module local 1.0;
> >
> > and nothing else.
> >
> > I'm running RHEL5.4 with SELinux in enforcing mode.
> >
> > Any help would be appreciated.
> >
> > Thanks,
> > Steve
On 21/12/09 02:25, Steve Blackwell wrote:
> On Fri, 18 Dec 2009 10:11:53 +0100 Dominick Grift <domg472@gmail.com> wrote:
> > On Thu, Dec 17, 2009 at 08:36:00PM -0500, Steve Blackwell wrote:
> > > I have a UPS that sends an SNMP trap when the main power goes out.
> > > I wrote my snmptrapd.conf file to execute a script when the trap is
> > > received. The script simply calls zenity to pop up a message.
> > >
> > > Here's my problem. If I start snmptrapd from the command line
> > > everything works beautifully but if I have the system start it at
> > > boot time or via System->Administration->Services, the trap gets
> > > logged
> >
> > Because when you start it manually it gets executed in the user's
> > environment, which is unrestricted/unprotected in el5.
>
> OK, I see that now. I got a bit wrapped around the axle because
> snmptrapd sometimes creates a file (I'm not quite sure when) called
> /var/net-smpd/snmptrapd.conf and if I run
>
> # /etc/rc.d/init.d/snmptrapd restart
>
> as root it gets created with a snmpd_var_lib_t type, but if I just
> start snmptrapd from the command line as root it gets created with a
> different type and then the system can't restart snmptrapd because it
> doesn't have permission to write to that file. ... I think...
>
> > > in /var/log/messages but the zenity window doesn't get displayed
> > > and I get these SELinux messages in /var/log/messages.
> > >
> > > SELinux is preventing the zenity from using potentially mislabeled
> > > files (XO)...
> > >
> > > SELinux is preventing zenity (snmpd_t) "name_connect" to <Unknown>
> > > <xserver_port_t>...
> > >
> > > I've looked at the output of
> > >
> > > # ps -ef | grep snmptrapd
> > >
> > > and it is identical in both cases so I don't understand why one
> > > works and the other doesn't. I tried
> > >
> > > # cat /var/log/messages | audit2allow -m local
> >
> > The avc denial gets logged to /var/log/audit/audit.log:
> >
> > ausearch -m avc -ts yesterday | grep snmpd_t | audit2allow -M mysnmp
> > | semodule -i mysnmp.pp
>
> This was also confusing me because I had auditd turned off and so the
> avc denials are supposed to go to /var/log/messages, but it seems that
> some still went to /var/log/audit/audit.log.
>
> Anyhow, running this command helped in that I don't get any more avc
> denials logged, but I still don't see my dialog popup. I'm going to try
> this again starting with a clean log.
>
> I have a few questions if you have the time to answer them.
>
> I have been reading this:
> http://www.linuxtopia.org/online_books/getting_started_with_SELinux/index.html
> and this:
> http://www.linuxtopia.org/online_books/writing_SELinux_policy_guide/index.html
> which I found quite useful but they are way out of date. Is there
> anything comparable that is current?
>
> My understanding is that a .te is a policy configuration file, a text
> file, and that a .pp file is a policy package, a binary file. Does
> the .te file get "compiled" into a .pp file and if so how does this
> happen?
>
> I read that the policy directory for Fedora systems is
> /etc/security/selinux/src/policy but neither the RHEL5.4 system at
> work nor my Fedora 11 system at home has such a directory and the only
> .te file is in /usr/share/selinux/devel. Where is the accepted location
> to put .te files?
>
> Is there a way to "see" what a .pp file is doing? A disassembly of
> sorts. I'd like to look at some examples. There are plenty of .pp files
> in /etc/selinux/targeted/modules/active/modules.
>
> Thanks,
> Steve
>
> > > but that just produced a file that said:
> > >
> > > module local 1.0;
> > >
> > > and nothing else.
> > >
> > > I'm running RHEL5.4 with SELinux in enforcing mode.
> > >
> > > Any help would be appreciated.
> > >
> > > Thanks,
> > > Steve

Steve,
we have two selinux docs in the fedora docs at http://docs.fedoraproject.org/
Also maybe Daniel's blog might be useful to you @ http://danwalsh.livejournal.com/

There are more, but I can't think of them at the moment. If you harass fenris02 in #fedora, and ask him for the SELinux links, he has got a script that blahs them out.

Regards,
Tristan

--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore@internexusconnect.net

Thawte Notary

For Fedora related issues, please email me at:
TSantore@fedoraproject.org
On Mon, 21 Dec 2009 03:06:55 +0000
Tristan Santore <tristan.santore@internexusconnect.net> wrote:

> > > I have been reading this:
> > > http://www.linuxtopia.org/online_books/getting_started_with_SELinux/index.html
> > > and this:
> > > http://www.linuxtopia.org/online_books/writing_SELinux_policy_guide/index.html
> > > which I found quite useful but they are way out of date. Is there
> > > anything comparable that is current?
> Steve,
> we have two selinux docs in the fedora docs at
> http://docs.fedoraproject.org/
> Also maybe Daniel's blog might be useful to you @
> http://danwalsh.livejournal.com/
>
> There are more, but I can't think of them at the moment. If you harass
> fenris02 in #fedora, and ask him for the SELinux links, he has got a
> script that blahs them out.
>
> Regards,
> Tristan

Thanks, I'll check those out.
Steve
On Sun, Dec 20, 2009 at 09:25:58PM -0500, Steve Blackwell wrote:
> On Fri, 18 Dec 2009 10:11:53 +0100
> Dominick Grift <domg472@gmail.com> wrote:
>
> > On Thu, Dec 17, 2009 at 08:36:00PM -0500, Steve Blackwell wrote:
> > > I have a UPS that sends an SNMP trap when the main power goes out.
> > > I wrote my snmptrapd.conf file to execute a script when the trap is
> > > received. The script simply calls zenity to pop up a message.
> > >
> > > Here's my problem. If I start snmptrapd from the command line
> > > everything works beautifully but if I have the system start it at
> > > boot time or via System->Administration->Services, the trap gets
> > > logged
> >
> > Because when you start it manually it gets executed in the user's
> > environment, which is unrestricted/unprotected in el5.
>
> OK, I see that now. I got a bit wrapped around the axle because
> snmptrapd sometimes creates a file (I'm not quite sure
> when) called /var/net-smpd/snmptrapd.conf and if I run
> # /etc/rc.d/init.d/snmptrapd restart
> as root it gets created with a snmpd_var_lib_t type, but if I just
> start snmptrapd from the command line as root it gets created with a
> different type and then the system can't restart snmptrapd because it
> doesn't have permission to write to that file. ... I think...
>
> > > in /var/log/messages but the zenity window doesn't get displayed
> > > and I get these SELinux messages in /var/log/messages.
> > >
> > > SELinux is preventing the zenity from using potentially mislabeled
> > > files (XO)...
> > >
> > > SELinux is preventing zenity (snmpd_t) "name_connect" to <Unknown>
> > > <xserver_port_t>...
> > >
> > > I've looked at the output of
> > >
> > > # ps -ef | grep snmptrapd
> > >
> > > and it is identical in both cases so I don't understand why one
> > > works and the other doesn't. I tried
> > >
> > > # cat /var/log/messages | audit2allow -m local
> >
> > The avc denial gets logged to /var/log/audit/audit.log:
> >
> > ausearch -m avc -ts yesterday | grep snmpd_t | audit2allow -M mysnmp
> > | semodule -i mysnmp.pp
>
> This was also confusing me because I had auditd turned off and so the
> avc denials are supposed to go to /var/log/messages, but it seems that
> some still went to /var/log/audit/audit.log.
>
> Anyhow, running this command helped in that I don't get any more avc
> denials logged, but I still don't see my dialog popup. I'm going to try
> this again starting with a clean log.
>
> I have a few questions if you have the time to answer them.
>
> I have been reading this:
> http://www.linuxtopia.org/online_books/getting_started_with_SELinux/index.html
> and this:
> http://www.linuxtopia.org/online_books/writing_SELinux_policy_guide/index.html
> which I found quite useful but they are way out of date. Is there
> anything comparable that is current?

I recently wrote a bit about the policy structure in Fedora 12, which also applies to 11 and to some degree el5. It's here:

http://82.197.205.60/~dgrift/stuff/Managing_a_SELinux_environment_with_Fedora_12.pdf

It's not detailed though.

> My understanding is that a .te is a policy configuration file, a text
> file, and that a .pp file is a policy package, a binary file. Does
> the .te file get "compiled" into a .pp file and if so how does this
> happen?

The .te, .fc and .if files make a complete source policy module. Yes, a binary representation of this (.pp) is what gets loaded "into the kernel". This is done via the checkmodule and semodule_package commands. We usually use the installed /usr/share/selinux/devel/Makefile to do this (requires selinux-policy-devel on el5).

> I read that the policy directory for Fedora systems is
> /etc/security/selinux/src/policy
> but neither the RHEL5.4 system at work nor my Fedora 11 system at home

I think that is old (el4/fc4/5?).

> has such a directory and the only .te file is in
> /usr/share/selinux/devel.
> Where is the accepted location to put .te files?

.te files are source policy. They should not get installed. The only source policy file that can get installed is the .if source policy file. This file is kind of like a header file. It has shared policy that can be used by other modules to interact with that module's types.

> Is there a way to "see" what a .pp file is doing? A disassembly of
> sorts. I'd like to look at some examples. There are plenty of .pp files
> in /etc/selinux/targeted/modules/active/modules.

There is no pp disassembler, but the sesearch command can be used to query the installed policy (part of setools).

> Thanks,
> Steve
>
> > > but that just produced a file that said:
> > >
> > > module local 1.0;
> > >
> > > and nothing else.
> > >
> > > I'm running RHEL5.4 with SELinux in enforcing mode.
> > >
> > > Any help would be appreciated.
> > >
> > > Thanks,
> > > Steve
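As an added illustration of the two answers above (what audit2allow derives from an AVC denial, and the checkmodule/semodule_package/semodule step that turns the .te into a loadable .pp), here is a small shell example that is not from the thread or from the SELinux tools themselves. The AVC lines are constructed to resemble the thread's snmpd_t to xserver_port_t denial; the .te text it prints is the kind of thing to read before loading, since every allow rule widens what a daemon in snmpd_t may do.

```shell
#!/bin/sh
# Added example, not from the thread: turn AVC denials into the .te body that
# audit2allow -M writes, then build it the way Dominick describes. Review each
# generated allow rule before loading; each one widens what snmpd_t may do.
# Constructed sample denials modelled on the thread (not real audit.log output).
SAMPLE_AVC='type=AVC msg=audit(1261101360.123:45): avc:  denied  { name_connect } for  pid=2345 comm="zenity" dest=6000 scontext=root:system_r:snmpd_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1261101360.456:46): avc:  denied  { read } for  pid=2345 comm="zenity" name=".Xauthority" dev=dm-0 ino=1234 scontext=root:system_r:snmpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1261101360.789:47): avc:  denied  { write } for  pid=2345 comm="zenity" name=".Xauthority" dev=dm-0 ino=1234 scontext=root:system_r:snmpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file'
# avc_to_te NAME: AVC lines on stdin -> .te module; same (src,tgt,class) merged.
avc_to_te() {
    awk -v mod="$1" '
    function fmt(s) { return (index(s, " ") ? "{ " s " }" : s) }
    /avc: +denied/ {
        b = index($0, "{"); e = index($0, "}")
        if (b == 0 || e <= b) next
        perm = substr($0, b + 1, e - b - 1)
        sub(/^ +/, "", perm); sub(/ +$/, "", perm)
        st = ""; tt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            eq = index($i, "="); if (eq == 0) continue
            k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
            if (k == "scontext") { split(v, c, ":"); st = c[3] }
            else if (k == "tcontext") { split(v, c, ":"); tt = c[3] }
            else if (k == "tclass") cls = v
        }
        if (st == "" || tt == "" || cls == "" || perm == "") next
        key = st SUBSEP tt SUBSEP cls
        if (!(key in perms)) { order[++nrules] = key; perms[key] = "" }
        if (!(st in seen)) { seen[st] = 1; tlist[++ntypes] = st }
        if (!(tt in seen)) { seen[tt] = 1; tlist[++ntypes] = tt }
        if (index(" " perms[key] " ", " " perm " ") == 0)
            perms[key] = (perms[key] == "" ? perm : perms[key] " " perm)
    }
    END {
        print "module " mod " 1.0;\n\nrequire {"
        for (i = 1; i <= ntypes; i++) print "\ttype " tlist[i] ";"
        for (i = 1; i <= nrules; i++) {
            split(order[i], p, SUBSEP)
            print "\tclass " p[3] " " fmt(perms[order[i]]) ";"
        }
        print "}\n"
        for (i = 1; i <= nrules; i++) {
            split(order[i], p, SUBSEP)
            print "allow " p[1] " " p[2] ":" p[3] " " fmt(perms[order[i]]) ";"
        }
    }'
}
# build_and_load NAME: compile NAME.te and load NAME.pp (root; needs checkpolicy
# and policycoreutils; the el5 Makefile route needs selinux-policy-devel). Not run here.
build_and_load() {
    checkmodule -M -m -o "$1.mod" "$1.te" &&
    semodule_package -o "$1.pp" -m "$1.mod" &&
    semodule -i "$1.pp"
}
printf '%s\n' "$SAMPLE_AVC" | avc_to_te mysnmp
```

Run it to see the .te text; to actually build, save that output as mysnmp.te and call `build_and_load mysnmp` as root.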
On 12/20/2009 11:36 PM, Steve Blackwell wrote:
> On Mon, 21 Dec 2009 03:06:55 +0000
> Tristan Santore <tristan.santore@internexusconnect.net> wrote:
>
>>>> I have been reading this:
>>>> http://www.linuxtopia.org/online_books/getting_started_with_SELinux/index.html
>>>> and this:
>>>> http://www.linuxtopia.org/online_books/writing_SELinux_policy_guide/index.html
>>>> which I found quite useful but they are way out of date. Is there
>>>> anything comparable that is current?
>
>> Steve,
>> we have two selinux docs in the fedora docs at
>> http://docs.fedoraproject.org/
>> Also maybe Daniel's blog might be useful to you @
>> http://danwalsh.livejournal.com/
>>
>> There are more, but I can't think of them at the moment. If you harass
>> fenris02 in #fedora, and ask him for the SELinux links, he has got a
>> script that blahs them out.
>>
>> Regards,
>> Tristan
>>
> Thanks, I'll check those out.
> Steve

Steve, are you all set now, or do you still need help?